Integrating Windows Updates into Windows 10 Install Image

In this guide I’ll show how to integrate new Windows update packages into the offline installation image of Windows 10 or Windows 8.1 using built-in tools. The same way you can slipstream the latest security patches into the Windows Server 2012 R2 / 2016 install ISO images.

In this example, I will show the process of adding the latest cumulative security updates (December 2018) to the installation image of Windows 10 1803. So, we will need:

It’s important to make sure that the your Windows OS image and the updates have the same bitness and version, otherwise, when installing the update an error “Update is not applicable to your computer” will appear.

Create the following directory structure on your computer:

C:\updates\mnt is the folder in which the file install.wim with the Windows installation image will be mounted;

C:\updates\msu is a folder in which you need to place the MSU updates for your Windows version (in this example, I downloaded 2 security updates for Windows 10 1803, released in December 2018 – KB4471331 and KB4471324);

C:\updates\Win10Image\ in this folder you need to copy the install.wim file from your Windows 10 install image. In our example, we mounted and unpacked the contents of the original Windows 10 ISO image Windows10x64-1803.iso. However, it can be a wim file from a virtual machine, VM template, WDS image or image stored in another OS automatic deployment software (for example, SCCM), etc.

Tip. If your WIM image contains several versions of Windows at once, in this command you need to specify the index of the required OS version, or integrate updates for every image in turn. You can get the list of Windows editions contained in the WIM file using the command:

DISM /Get-WimInfo /WimFile:C:\updates\Win10\install.wim

In our example, the image contains only one OS edition – the Windows 10 Pro with the index 1, therefore in the command we need specify install.wim /index:1.

Now you can run the integration of suitable MSU updates located in the specified directory into the Windows 10 image:

dism /image:C:\updates\mnt /add-package /packagepath:C:\updates\msu

If the system detects a wrong update (a one that is not suitable for this OS version and bitness, or if the update is already installed), it will be ignored and the corresponding information will be written to C:\Windows\Logs\DISM\dism.log.

To reduce the size of an image by deleting old update files (see the article about the WinSxS folder cleanup), run the command:

If you already have a computer with a similar version of Windows 10 that already has the latest security updates installed, you can get all the necessary update files directly from it. In this case, you don’t need to manually download MSU update files from the Microsoft Update Catalog. The trick is that Windows saves CAB files of the updates that have been downloaded from Windows Update servers or a WSUS server to the C:\Windows\SoftwareDistribution\Download folder.

Using the following command, you will start integration into the install.wim image of update files that have already been downloaded and installed on another computer via the local network:

In this example, Win10x64AlreadPatchedPC is the name of the remote computer on which the necessary updates are already installed (the OS version and bitness must match). Of course, this computer should be accessible over the network, and your account should be added to the local administrators group on it. In the window that opens, you can watch the process of installing updates to the offline Windows image. DISM will try to add to your WIM image each found CAB file on a remote computer.

If you encounter an error while integrating updates into a Windows image: “Error 0xc0000135 An error occurred while attempting to start the servicing process for the image located at C:\Update\mount. For more information, review the log file”, make sure you are using the latest version of DISM. For example, you are trying to modify a Windows Server 2016 image from Windows 8.1. Install the latest available version Windows Assessment and Deployment Kit (Windows ADK) for your OS and run DISM directly from the catalog C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM.

And the last step is to save the changes and unmount the Windows 10 image:

dism /unmount-wim /mountdir:C:\updates\mnt /commit dism /Cleanup-Wim

You only have to copy install.wim to the source directory/virtual machine or rebuild the installation ISO image, e. g., using oscdimg,UltraISO or Dism++.

If the size of your install.wim file is more than 4 GB you may encounter the error “Windows cannot open the required file D:\sources\install.wim. Error code: 0x8007000D” during Windows install on the UEFI system. In this case, you need to split the source install.wim into smaller files with the command:

Now you can deploy your Windows install image with the latest security updates integrated on a computers in your network. By regularly integrating the latest security updates into your Windows image deployed on new computers, you increase the security of your infrastructure against the latest vulnerabilities and reduce the risk of infecting new computers until they start updating from WSUS.